Systrace

Intrusion detection.
Once policy has been generated, any operation not covered by policy indicates a security problem.

Automatic Policy Generation.
Records all system calls an application executes and generates policy to cover them.

Automatic Policy Enforcement.
Enforces the configured policies.
Denies and logs policy violations to syslog:

Jul  7 10:28:26 foo systrace: user: bar, prog: /usr/local/bin/irc, pid: 154(1), policy: /usr/local/bin/irc, filters: 80, syscall: native-execve(59), filename: /bin/sh